On Fri, 2005-12-02 at 10:48 -0800, Blue Boar wrote:
> You can make the authentication step as secure as you like (and granted,
> that's what the thread is about, and what the OTP asked for) but don't
> forget that the 0wner of your machine still has the option to take over
> your transaction(s) post-authentication.

That's why I emphasized that the use of tokens should not only be made for initial authentication, but also for *each transaction*.

Any transaction can be hashed with a one-time code generated by a token and sent as a control with the transaction parameters. Any MITM interception and modification will invalidate that hash, thus voiding the transaction.

These things have been available since the mid-nineties, but are either still not applied, or improperly applied. There are a lot of cases where tokens are used for authentication, but only there, not preventing MITM attacks. (Why should they? It's protected with SSL, right ;)

So, yeah, we need to stress the fact that transactions need to be secured, not just initial auth.

Cheers!

Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
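The per-transaction code described above, as an added illustration that is not part of the original post: a counter-based HMAC over the canonicalized transaction fields (in the spirit of HOTP-style tokens, not a spec-exact implementation), so that a MITM who rewrites the destination or amount invalidates the code, and a captured code cannot be replayed. The shared secret, account numbers and amounts are constructed sample values.

```python
import hmac
import hashlib
import struct


def canonical(tx: dict) -> bytes:
    """Deterministic serialization: sorted key=value pairs, '&'-joined."""
    return "&".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()


def transaction_code(secret: bytes, counter: int, tx: dict, digits: int = 8) -> str:
    """One-time code bound to both the token counter and the transaction contents.

    The token (client side) and the server compute this independently from
    the shared secret; the code itself travels with the transaction.
    """
    msg = struct.pack(">Q", counter) + canonical(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class TokenServer:
    """Server-side verifier holding the token secret and a replay counter."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, tx: dict, code: str) -> bool:
        # Accept a small look-ahead window in case the token drifted ahead.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(transaction_code(self.secret, c, tx), code):
                self.counter = c + 1                 # consumed: prevents replay
                return True
        return False                                 # modified or replayed


def demo() -> dict:
    secret = b"constructed-shared-token-secret-32b"  # constructed sample value
    server = TokenServer(secret)
    tx = {"from": "ACC-1001", "to": "ACC-2002", "amount": "150.00", "currency": "EUR"}
    code = transaction_code(secret, 0, tx)           # what the user's token shows
    tampered = dict(tx, to="ACC-6666", amount="9500.00")  # rewritten in transit
    return {
        "legit": server.verify(tx, code),            # True
        "tampered": server.verify(tampered, code),   # False: code no longer matches
        "replay": server.verify(tx, code),           # False: counter already consumed
    }
```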
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/